kolla

CI: pin opensearch until auth between haproxy and opensearch works

Bug #2060668 reported by Sven Kieske on 2024-04-09

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	kolla	Fix Released	Undecided	Sven Kieske

Bug Description

Hi,

just to better track, see original attempt at a fix here:

https://review.opendev.org/c/openstack/kolla-ansible/+/915119

This is currently blocking CI, so we concluded to pin to version 2.12 for now.

The issue is, that we do authenticate only to haproxy. we probably need to forward the X-Auth-User header to the opensearch backend and configure opensearch to accept the forwarded auth by haproxy for the CI opensearch dashboard test to work again.

Sven Kieske (s-kieske) on 2024-04-09

Changed in kolla:
assignee:	nobody → Sven Kieske (s-kieske)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-04-09: Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla/+/915322

Changed in kolla:
status:	New → In Progress

Revision history for this message

Sven Kieske (s-kieske) wrote on 2024-04-09:

we should implement a real solution soonish(TM), upstream 2.13 release of the dashboards also fixed some CVEs:

https://github.com/opensearch-project/OpenSearch-Dashboards/blob/2.13/release-notes/opensearch-dashboards.release-notes-2.13.0.md

I didn't look into the details how grave they are though.

Revision history for this message

Sven Kieske (s-kieske) wrote on 2024-04-09:

For the longterm solution I think making opensearch accepting the haproxy auth headers could work via this: https://opensearch.org/docs/latest/security/access-control/impersonation/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-04-15: Fix merged to kolla (master)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/915322
Committed: https://opendev.org/openstack/kolla/commit/19a004e0a500ea4839fa1e089e1c50c953cec3b3
Submitter: "Zuul (22348)"
Branch: master

commit 19a004e0a500ea4839fa1e089e1c50c953cec3b3
Author: Sven Kieske <email address hidden>
Date: Tue Apr 9 14:11:54 2024 +0200

CI/Master only: pin opensearch{-dashboards}

    pin opensearch and opensearch-dashboards to 2.12. for now
    Closes-Bug: #2060668
    Related-Bug: #2060306

Change-Id: I3df4823d78474d94e138ff73f0f577bd247bdad0
Signed-off-by: Sven Kieske <email address hidden>

Changed in kolla:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.